Level of Assurance

Full Title

Early Identity Assurance combined Identity Proofing and Authentication into a single list of four Level of Assurance criteria.

Context

Specification from NIST and ISO are general and difficult to apply in real world situations.

Solutions

Federations are likely to specify a detailed set of criteria that apply to their particular circumstances.

Healthcare

• Healthcare Exchange Standards Discussions of Interoperability Exchange, Privacy, and Security in Healthcare by John Moehrke -

  CyberPrivacy. Topics: Health Information Exchange, Document Exchange XDS/XCA/MHD, mHealth, Meaningful Use, Direct, Patient Identity, Provider Directories, FHIR, Consent, Access Control, Audit Control, Accounting of Disclosures, Identity, Authorization, Authentication, Encryption, Digital Signatures, Transport/Media Security, De-Identification, Pseudonymization, Anonymization, and Blockchain.

• National HIE Governance Forum - Identity and Access Management for Health Information Exchange
• Direct Trust response to Request for Information on Updates to ONC’s Voluntary Personal Health Record Model Privacy Notice, 2016-04239

References

• NIST SP 800-63-1
• NIST SP 800-63-2
• ISO/IEC 29115 Entity Authentication Assurance - was based on 63-2, but has been withdrawn pending upcoming changes from NIST.
• NIST SP 800-63-3
• NISTIR 8344 a draft Ontology of Authentication release in 2021-02, comments due on 2021-04-09. It is expected that the ideas on IAA and OAA in tis doc will be carried forward to 63-4.